I have been talking with the bouncy castle people; they make some good suggestions. One problem with even including the public cert of Apache in the ant and maven distros is that you have to make sure that that distro isn't subverted first.
I have also been having longer discussions with a colleague who manages security on our (GPL) deployment framework.

1. MD5 is less secure than SHA1. Despite the press that SHA1 has been getting, MD5 collisions can be used to generate evil-twin x509 certs, among other things: http://www.win.tue.nl/~bdeweger/CollidingCertificates/.

2. What about using an SHA1 signature of an archive as its key for retrieval? So instead of saying

<library project="org.apache.axis" artifact="axis" version="1.2-RC3" />

mapping to org/apache/axis/axis-1.2-RC3.jar, you have

<library project="org.apache.axis" artifact="axis" hash="04f3d5aab0" />

mapping to org/apache/axis/axis-04f3d5aab0.jar.

The advantage here is that by using the # as the version, the build file contains a declaration of what hash is expected, so it's easy to verify the version. Nobody can subvert the artifact without changing the # value, and when that happens the filename changes or the name and hash diverge, something that is trivially obvious to any verification routine.

The disadvantages:
- no obvious 'latest version' in the repository
- harder to field support calls: "what is the hash of your artifacts?"

But maybe version and hash would work. I think the .NET Global Assembly Cache works a bit like this, but am not sure.
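The hash-keyed retrieval scheme sketched in the post, as an added example (editor's code, not from the original message or from Ant/Maven): a resolver that derives the repository path from the <library> declaration and then checks both the served filename and the archive contents against the declared hash. The 10-hex-digit SHA-1 prefix and the sample archive bytes are assumptions chosen to match the post's "04f3d5aab0" style; a real verifier would compare the full digest.

```python
import hashlib
import re

# Assumption: keep 10 hex digits of the SHA-1, as in the post's sample value.
HASH_LEN = 10


def short_sha1(data: bytes) -> str:
    """Truncated SHA-1 of the archive bytes, used as its retrieval key."""
    return hashlib.sha1(data).hexdigest()[:HASH_LEN]


def artifact_path(project: str, artifact: str, key: str) -> str:
    """Map <library project=... artifact=... hash=...> to a repository path."""
    return f"{project.replace('.', '/')}/{artifact}-{key}.jar"


def verify_artifact(project: str, artifact: str, declared_hash: str,
                    served_path: str, data: bytes):
    """Check that the path the repository served and the bytes it returned
    both agree with the hash declared in the build file.
    Returns (ok, reason)."""
    if not re.fullmatch(r"[0-9a-f]{%d}" % HASH_LEN, declared_hash):
        return False, "declared hash is malformed"
    expected_path = artifact_path(project, artifact, declared_hash)
    if served_path != expected_path:
        # name and hash diverge: the filename no longer carries the declared key
        return False, f"name and hash diverge: got {served_path}, expected {expected_path}"
    actual = short_sha1(data)
    if actual != declared_hash:
        # contents were replaced under the same name
        return False, f"content hash {actual} does not match declared {declared_hash}"
    return True, "ok"


# Constructed sample archive bytes (a stand-in, not a real axis jar).
SAMPLE_JAR = b"PK\x03\x04 constructed sample archive contents"
SAMPLE_KEY = short_sha1(SAMPLE_JAR)

if __name__ == "__main__":
    path = artifact_path("org.apache.axis", "axis", SAMPLE_KEY)
    print(path, verify_artifact("org.apache.axis", "axis", SAMPLE_KEY, path, SAMPLE_JAR))
    # A modified archive served under the unchanged name is rejected.
    print(verify_artifact("org.apache.axis", "axis", SAMPLE_KEY, path, SAMPLE_JAR + b"x"))
```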
